If a user decides to craft a form like the one
presented in Listing 2, the resulting queries would look like this:

SELECT id, name FROM `records` LIMIT 5;
DELETE FROM `records`

There obviously are simple ways to counter such attacks, but I
have noticed that a large number of applications have no facility for
protecting themselves from this type of attack.

In our particular example, calling the intval() function to
convert NUM to an integer would have provided a decent level
of protection against SQL injection. However, it is important
to understand that developers cannot be expected to
think about every single parameter used in all of their SQL
queries. Therefore, what you really need to do is streamline
this process across your applications.

Because modern Web-based applications commonly gravitate toward
a core module or some kind of centralized switchboard, it becomes
easy to implement such a facility application-wide.
The details of implementing streamlined facilities for your
applications are covered later in the
article. For now, take note of the following
quick tips that will help you build your own solution:

Use regular expressions to filter SQL commands:
this method is not appropriate if you intend to accept free text from users,
but it does a good job of stopping SQL injection by filtering out SQL
keywords (Listing 3).

Use assertions: assertions are covered in more detail later in this
article.

Escape strings:
if you do not expect to accept binary data as input, an
important step in securing your input is string escaping.
In the example above, escaping the string would not have helped;
however, many SQL injection attacks rely on terminating the SQL query
prematurely and injecting a new query after it. This is efficiently
prevented through the use of functions such as mysql_escape_string().
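The three quick tips applied to the article's own injected LIMIT value, as an added example rather than code from the article: records_query() and sql_keyword_found() are hypothetical helper names, the inputs are constructed samples, and because mysql_escape_string() no longer exists in current PHP, the escaping step uses mysqli_real_escape_string() with an open connection passed in by the caller.

```php
<?php
// Constructed sample inputs: the first is the hostile NUM value from the
// article's example, the second is an ordinary name for comparison.
$num_input  = "5; DELETE FROM `records`";
$name_input = "Jane Smith";

// Tip 1: coerce numeric parameters with intval(). Only the leading digits
// survive, so the appended DELETE statement never reaches the query.
function records_query(string $num): string {
    $limit = intval($num);
    return "SELECT id, name FROM `records` LIMIT $limit;";
}

// Tip 2: reject values containing SQL keywords. Suitable only for fields
// that must never carry free text, since legitimate prose could match.
function sql_keyword_found(string $value): bool {
    $pattern = '/\b(select|insert|update|delete|drop|union|from|where)\b/i';
    return preg_match($pattern, $value) === 1;
}

// Tip 3: escape quotes and other special characters so the value cannot
// close the string literal and start a new statement. Requires an open
// mysqli connection because escaping depends on the connection charset.
function name_query(mysqli $db, string $name): string {
    $safe = mysqli_real_escape_string($db, $name);
    return "SELECT id FROM `records` WHERE name = '$safe';";
}

// Tip 1 reduces the hostile value to a plain integer.
echo records_query($num_input), "\n";
// Tip 2 flags the hostile value and passes the ordinary name.
var_dump(sql_keyword_found($num_input));
var_dump(sql_keyword_found($name_input));
```

name_query() is defined but not called here because it needs a live database connection; the other two helpers run stand-alone.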

Sensitive information often is stored on database servers and other
storage facilities for later retrieval. At this point, it is critical
to have at your disposal a facility that allows you, as a developer, to
secure that data at storage time and retrieve the information you are
looking for when you need it.

PHP offers an extension that allows developers to use the Mcrypt Library
(mcrypt.sf.net) to secure data by encrypting it and
later decrypting
it. The documentation of the Mcrypt extension for PHP is
located at www.php.net/mcrypt, and it should be studied
carefully before implementation.

The Mcrypt extension supports an impressive array of algorithms, including
triple-DES, Blowfish, Twofish and Two-Way. Using the Mcrypt extension is
not a very intuitive process if you are not familiar with encryption; it
can become quite confusing because of the variety of block algorithms
and encryption modes available.
Refer to Listing 4 for a sample of what the Mcrypt extension
offers and how to use it.

Listing 4. Typical Usage of the Mcrypt Extension

<?php
/* Note: the Mcrypt extension was deprecated in PHP 7.1 and removed
   in PHP 7.2; this listing targets the PHP versions that still ship it. */
/* Create your key at random, but keep it handy, as you
   will need it to decrypt later */
$key = "AOQKJLCLIGAKJHSD<NKLXASLUIHJKHASOIUDSgfuyJKLBLKU";
$string = $_POST['password'];
/* First, you must open the encryption module provided by Mcrypt */
$mod = mcrypt_module_open('blowfish', '', 'ecb', '');
/* You must then create an Initialization Vector based on a size
   and a source. Your source can be custom, but some constants are
   available. The size of the vector depends on the module you are
   using. (ECB mode does not actually use the IV; one is still
   created here because mcrypt_generic_init() requires it.) */
$iv_size = mcrypt_enc_get_iv_size($mod);
/* The initialization vector will be $iv_size bytes read from
   the source /dev/random in our example */
$iv = mcrypt_create_iv($iv_size, MCRYPT_DEV_RANDOM);
/* The next step is to ensure that your key is not too big and
   truncate it if necessary */
$max_key_size = mcrypt_enc_get_key_size($mod);
$key = substr($key, 0, $max_key_size);
/* You must then initialize the encryption mechanism through
   mcrypt_generic_init */
mcrypt_generic_init($mod, $key, $iv);
/* You can now encrypt your data through the use of mcrypt_generic.
   The function returns your encrypted data as a binary string;
   the plaintext is zero-padded to a multiple of the block size */
$encrypted = mcrypt_generic($mod, $string);
/* Once you have finished using Mcrypt, you must free the buffers
   used during the process */
mcrypt_generic_deinit($mod);
/* Finally, you must close the encryption module you have used */
mcrypt_module_close($mod);
/* Now here is how we can decrypt our data: */
$padded = mcrypt_decrypt('blowfish', $key, $encrypted, 'ecb', $iv);
/* At this point, our decrypted string has been zero-padded, so we
   need to remove the trailing \0s (only the trailing ones, so that
   a plaintext containing NUL bytes is not corrupted) */
$plain = rtrim($padded, "\0");
/* The ciphertext is binary, so display it hex-encoded */
echo "Encrypted string: " . bin2hex($encrypted) . "<br>";
echo "Decrypted string: $plain<br>";
?>
